Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    290s
  • max time network
    304s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-09-2023 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x9391797.exe

  • Size

    321KB

  • MD5

    dba7de05cbeabdc859adfc5b6498a558

  • SHA1

    653ebef6f9214b020def4354caa166457dcb8bcb

  • SHA256

    3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c

  • SHA512

    dd716f1414c6bbb0a5dadbc3c6e5596f3b25282711c7ecafc6799a9a3c057d01e1aad924ca5348423449e24386c0e22a15321d739e27ae9bee17bcada8d22c5c

  • SSDEEP

    6144:KYy+bnr+ap0yN90QE9WaMye34ulHCg2c+SeaKuKk:sMrOy90xMygHBqL9aKux

Score
10/10
healerredlineblackdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes
  • auth_value

    c5887216cebc5a219113738140bc3047

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x9391797.exe
    "C:\Users\Admin\AppData\Local\Temp\x9391797.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
      • Executes dropped EXE
      PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
    Filesize

    236KB

    MD5

    9dc867c2adacdd76b2324bc47467f83c

    SHA1

    f3decfe079b8dc76d536de7ca9aeec2c0da18d72

    SHA256

    5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

    SHA512

    0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
    Filesize

    236KB

    MD5

    9dc867c2adacdd76b2324bc47467f83c

    SHA1

    f3decfe079b8dc76d536de7ca9aeec2c0da18d72

    SHA256

    5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

    SHA512

    0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
    Filesize

    174KB

    MD5

    17061663123df86496cfa24e531b4127

    SHA1

    446ad405b223ce6e9197ec7ef814516d9d99caa8

    SHA256

    da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

    SHA512

    b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
    Filesize

    174KB

    MD5

    17061663123df86496cfa24e531b4127

    SHA1

    446ad405b223ce6e9197ec7ef814516d9d99caa8

    SHA256

    da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

    SHA512

    b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

    Download Submit
  • memory/2596-16-0x00000000731D0000-0x00000000738BE000-memory.dmp
    Filesize

    6MB

    Download
  • memory/2596-7-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2596-32-0x00000000731D0000-0x00000000738BE000-memory.dmp
    Filesize

    6MB

    Download
  • memory/2596-47-0x00000000731D0000-0x00000000738BE000-memory.dmp
    Filesize

    6MB

    Download
  • memory/5052-14-0x0000000000A40000-0x0000000000A70000-memory.dmp
    Filesize

    192KB

    Download
  • memory/5052-15-0x00000000731D0000-0x00000000738BE000-memory.dmp
    Filesize

    6MB

    Download
  • memory/5052-17-0x0000000005200000-0x0000000005206000-memory.dmp
    Filesize

    24KB

    Download
  • memory/5052-18-0x0000000005B00000-0x0000000006106000-memory.dmp
    Filesize

    6MB

    Download
  • memory/5052-19-0x0000000005600000-0x000000000570A000-memory.dmp
    Filesize

    1MB

    Download
  • memory/5052-20-0x0000000005290000-0x00000000052A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/5052-21-0x0000000005530000-0x000000000556E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/5052-26-0x0000000005570000-0x00000000055BB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/5052-31-0x00000000731D0000-0x00000000738BE000-memory.dmp
    Filesize

    6MB

    Download